Like a sturdy chair, a comprehensive approach to school security needs four legs for strong support. Both the technology (physical and cyber products and services) and the people (planning and educating) are crucial for success. Park Hill School District in Kansas City, MO, and Katy Independent School District in Katy, Texas, both get that.

Planning with flexibility is an essential aspect of IT operations for Park Hill School District in Kansas City, MO, and security is at the core. The first mistake a lot of IT people in school districts make is to approach security with a single project in mind, says Mark Sandt, director of technology. "What I'll see happen in other districts is that somebody decides it's important to do video surveillance cameras. So they buy cameras, then they say, 'Oh, can our network support this?' If you're being reactive to those things, more often than not it'll cost more money and take a lot longer than people will be happy with."

Getting input and feedback is a key part of planning. Sandt taps a service advisory committee that advises the IT organization on service decisions. That group includes teachers, principals, technology reps, office staff, classified staff, and even a student from the high school.

Katy ISD, in Katy, Texas, outside of Houston, has a similar ethic about planning for security. Lenny Schad, CIO, chose a video surveillance system that works with both analog and IP-based cameras. "I wanted to find a system that wouldn't 'fix' me to analog, and I wanted flexibility as IP cameras work the kinks out and become more affordable," he explains.

Another important aspect of security planning is gaining an understanding of the district's level of risk tolerance. "I just had an external company come in and do a risk evaluation," Schad says. "They looked at our capacity for risk -- what we're saying we're comfortable with from a risk perspective. They came back and said, 'Here's where you fit.' I was really pleased with the outcome of that."

That assessment enables Schad to gauge what kind of appetite district stakeholders will have for particular undertakings -- such as a project to allow students to use their own mobile devices on district campuses. "You have to get your staff and community to understand the need for and importance of security," he says. "They need to understand that risk point they're sitting at -- and decide if they're comfortable with it."

For internal threats, the 57,000-student district relies on multiple layers of security monitoring and prevention software on its PCs and servers. But that's just the start. Rather than simply trying to keep up with an ever-changing landscape of internal threats, Schad believes in educating district users to be responsible for their cyber security. That too takes multiple forms. The result, he believes, will be broader awareness of the problems internal breaches pose to all users.

"I have a real problem with the controls we're forced to do," Schad says. "For seven hours a day we wrap our kids in this really tight cocoon. We tell them where they can go and prevent them from doing these things. Then they walk out our doors and for 17 hours they're playing in the real world. I understand [Children's Internet Protection Act] compliance. I completely support it. But I think we've gone too far to the extreme. I want to talk about digital citizenship, so when kids walk out the door and go into the adult world, and they're on laptops in their bedrooms, they're better prepared than they are right now."

That push for personal responsibility also permeates Katy ISD's approach to acceptable use policies. According to a CDW-G survey, forty percent of districts report that they're enforcing their acceptable use policy in order to strengthen network security. But simply setting rules isn't enough, according to Katy's Schad. "I want people thinking not just, 'Here's what you have to do,' but 'This is how you behave appropriately in a digital world.' We're changing that mental framework from talking about expectations to talking about responsible use."

School districts all face comparable security problems and funding challenges. But the leading districts have figured out creative ways to use a variety of resources to layer on their security solutions. That requires examining all aspects of the security plan, making sure the infrastructure -- both technology platforms and staffing -- will support the new initiatives, and getting buy-in and participation from the district community. Security will not work without the surveillance cameras, internet filtering software and other software; those are crucial. Equally crucial, however, is taking the time to plan for flexibility and investing in the people to ensure they use all the technology appropriately. The payoff -- safer, more secure schools -- is worth the effort.